This content originally appeared on DEV Community and was authored by david wyatt
Oh have I wanted to talk about the Default environment (or as I generally call it Personal Productivity). Its probably had the biggest impact on my thoughts on the Power Platform more then any other part of it.
I'm sure everyone knows what the Default environment is, but just in case you don't, it is the 'Default' environment for the Power Platform. You have to have it and every one with a license has access to it.
So lets look at the good, and the bad.
The simple fact is I would not be where I am today without the Default environment. Because Microsoft enforces the environment and the controls you have over it (more on that later), it meant that it was my first taste of the platform.
I wasn't part of IT and there is no way I would have ever got access to it if there was any sort of control on it. But as it is it was there, I found it and I used it a lot. And that's its great strength, just like having Excel installed on your computer (because you have to open and read Excel files) you can make cool stuff on it. The is the core to self service and enabling citizen development, it removes all of the barriers and allows anyone to build.
And that's where the good stuff ends, now for the challenges.
So now that I'm on the other side as a platform admin I hate the Default environment, and so do most other IT domains (especially security), but why. Well there are 5 main reasons:
- Visibility
- DLP
- Sharing Controls
- Limits
- Shared Service
1. Visibility
As an admin the one thing I really want is visibility. I need to see what's on the platform and what it is doing, and the Default is just terrible.
Lets be honest here the whole platform isn't great for visibility but at least your non default environments have some sort of controls (well I hope they do) and there is less volume. Poor visibility on a small set of data is bad, but on volumes data it is exponentially worst.
Don't believe me, well lets do a small demo.
Quick call out, this is different if you have Dataverse flows, but unless you turned on 'Create new canvas apps and cloud flows in Dataverse solutions (Preview)' then they will not be in a solution. Also Default uses are significantly less likely to manually add to a solution, plus its preview so as a rule that isn't recommend in prod environments. Finally even if you have its the Default so bound to have thousands of legacy flows.
As an admin I want to see what a flow is doing, my steps are:
- Go to admin centre
- Select resources
- Select flows
- Find flow
- Share flow with me
That doesn't sound too bad I hear you saying but....
To find the flow you have to use the select flows menu:
Well that menu only returns 25 flows at a time, and even worst the filters are not delegated. So that means when you sort or filter, it only sorts/filters the flows you have returned (i.e. it only sorts the 25/50/75 flows you have requested, not the 1000+ you have).
Just imagine that, I want to find a flow, I have 5000 flows and I have to return it in blocks of 25 with no way to impact the 25 I receive in each block.
The API isn't much better as that only allows max 250 in each request and uses a pagination token (so I can't jump to the end and work backward, I have to go sequentially). And again it has no query functionality.
Second, for me to see it I have to get full edit/delete permissions, WHAT. Have you never heard of Polp (Principle of least privilege) Microsoft.
2. DLP
The Data Loss Prevention Policy is the main tool as an admin you have to protect your organisation. Its a great tool, but not so much when it comes to the Default and that's because of non-blockable connectors.
There are 24 connectors that you cannot block, so that means everyone in the Default can use them. Why is that so bad, well as example:
SharePoint & Dataverse - just imagine what sensitive data will be put there with zero governance or controls
Outlook - easiest way for nefarious agents to export data, and trust me with this one, someone will probably I cause issues on your exchange by sending far to many emails/requests
Power BI - just like outlook, someone is going to hit that sync/refresh far too much and throttle your network
On top of this, with Power Apps these connections can be used on-behalf-of by someone else (Want to see how see I've Just Been Hacked by a Power App).
3. Sharing Controls
Oh Microsoft why oh why. As I said above, Power Apps use on-behalf-of permissions, that's not far off sharing your password with someone. And the Default has no controls on sharing, you can share your app with everyone. And if you haven't turned off the option to 'Share with everyone' then they can do it with 1 click. And guess how you turn it off, that's right, no menu option, you have to do a Power Shell Script 🤷♂️.
That means anyone wanting to abuse those permissions for connections like Outlook can quicky share with hundreds if not thousands of people. And it will be wrapped in a safe looking Microsoft package from a trusted email.
Of course there is a fix for this, managed environments. But no surprise there, that's premium functionality. That's right, basic functionality like protecting your organisation is a premium.
"Want a lock with your car sir? that's not with the base package"
"You want a life vest under your seat, I'm afraid you have to pay extra for that madam"
4. Limits
Like the lack of Sharing Controls there are no limits. This again doesn't sound too bad, but just think about this, how creative are you citizen developers. Did you see what they did with Excel and Access, now imagine Power Apps and Power Automate.
I have already seen borderline full enterprise scale, business critical solutions built in the Default. Wow that's great, well yes it is until it breaks, or the person who built it leaves, then who has to pick up the pieces. The poor Platform Admin/CoE has to backward engine a solution that has no coding standards, no security considerations, and often is a square peg smashed into a round hole. Every platform admin has nightmares about the day the big one hits.
5. Shared Service
Not many people realise this but the Default is kind of like that Kitchen draw we all have, with every random thing we don't know where to put.
Just to name a few:
- Click on create a flow in SharePoint, that creates one in the Default.
- Want to use the improved form in a list, that's in the Default.
- Want to run a flow from a Power BI button, that's in the Default.
- Install the new Sustainability App, that spins up its own environment
- Even Project leverages some flows in the Default to sync data between Road Maps and Projects.
- New Teams Workflow App, that's just the Default with a Teams connector filter
This interconnection makes life so difficult for admins, as often these systems are not controlled by one team. So if the Power Platform admin changes a setting, they can end up breaking something in someone else's domain like SharePoint. Likewise they can change a setting and it break something in the Power Platform, and because we don't often know about the connections it can cause all sorts of pain.
And breath.... yep that ones been building for a while.
I do get it, I know why Microsoft have done this, and ironically its for people like me. I have no IT background and having access to the Power Platform through the Default has allowed me to find a career in IT.
But is it worth it, is it worth the risk? Until something bad happens I don't think it will change (plus its a hell of a way to sell Premium licenses), but if there is a incident, or a big customer won't adopt until the Default is controlled, then you never know.
This content originally appeared on DEV Community and was authored by david wyatt
david wyatt | Sciencx (2024-09-16T06:25:29+00:00) Let’s Talk About the Power Platform Default Environment. Retrieved from https://www.scien.cx/2024/09/16/lets-talk-about-the-power-platform-default-environment/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.